Medium · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Tags: Security, Logging, Organizations, S3

AWS SAP-C02 · Question 66 · Domain 1.2: Security Controls

A company is using AWS Organizations. They want to implement a centralized logging solution where all AWS CloudTrail logs and VPC Flow Logs from 100+ member accounts are sent to a single Amazon S3 bucket in a dedicated 'Log Archive' account. The security team wants to ensure that no one, not even the administrators of the member accounts, can modify or delete the logs once they are written. Which solution is the MOST secure and scalable?

Answer options:

A.

Create an Organization Trail in the management account. Configure VPC Flow Logs in member accounts to send to the central S3 bucket. Enable S3 Object Lock in compliance mode on the central bucket.

B.

Create a Service Control Policy (SCP) that denies the 's3:DeleteObject' action and attach it to all member accounts.

C.

Configure CloudTrail and VPC Flow Logs in each member account to write to local S3 buckets. Use S3 Cross-Region Replication to copy them to the central bucket.

D.

Enable AWS Config in the management account to monitor the integrity of the CloudTrail logs.

How to approach this question

Combine centralized logging (Organization Trail) with cryptographic immutability (S3 Object Lock).

Full Answer

A. ✓ Correct: Create an Organization Trail in the management account. Configure VPC Flow Logs in member accounts to send to the central S3 bucket. Enable S3 Object Lock in compliance mode on the central bucket.
For centralized, immutable logging at scale, you should use an AWS Organizations Organization Trail. This automatically creates a trail in all member accounts that logs to a central S3 bucket, and member account admins cannot modify the trail configuration. To ensure the logs themselves cannot be deleted or tampered with by ANYONE (including the admin of the Log Archive account), you must enable S3 Object Lock in Compliance mode on the destination bucket.
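As an added check, not part of the original question or answer key: a small Python audit that flags a log-archive bucket whose Object Lock default retention is not in COMPLIANCE mode (or has no retention period), and whose bucket policy lets CloudTrail write without pinning the delivering trail via aws:SourceArn. Input shapes follow what boto3 returns from get_object_lock_configuration and get_bucket_policy (policy JSON already parsed); the bucket name, organization ID, account ID and trail ARN are placeholders.

```python
from __future__ import annotations

def audit_log_archive_bucket(lock_cfg: dict, policy: dict) -> list[str]:
    """Return findings for a central log bucket; an empty list means it meets the bar."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    if retention.get("Mode") != "COMPLIANCE":
        # GOVERNANCE mode can be overridden by anyone holding s3:BypassGovernanceRetention
        findings.append("default retention mode is not COMPLIANCE")
    if not (retention.get("Days") or retention.get("Years")):
        findings.append("no default retention period, so newly delivered logs are not locked")
    # Any statement that lets the CloudTrail service write must name the trail that
    # is allowed to deliver (aws:SourceArn); otherwise a trail in any account could.
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and "cloudtrail.amazonaws.com" in services
                and "s3:PutObject" in actions):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "aws:SourceArn" not in cond:
                findings.append(f"statement {stmt.get('Sid')} allows CloudTrail PutObject "
                                "without an aws:SourceArn condition")
    return findings

# Constructed sample inputs (placeholders, not real resources).
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}

def trail_write_statement(pin_source_arn: bool) -> dict:
    """CloudTrail delivery statement, optionally pinned to one (placeholder) trail ARN."""
    cond = {"s3:x-amz-acl": "bucket-owner-full-control"}
    if pin_source_arn:
        cond["aws:SourceArn"] = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"
    return {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-log-archive/AWSLogs/o-exampleorgid/*",
            "Condition": {"StringEquals": cond}}

if __name__ == "__main__":
    for name, lock, pinned in (("weak", WEAK_LOCK, False), ("hardened", HARDENED_LOCK, True)):
        policy = {"Version": "2012-10-17", "Statement": [trail_write_statement(pinned)]}
        print(name, audit_log_archive_bucket(lock, policy) or "no findings")
```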

Common mistakes

Relying on SCPs or IAM policies, which can be modified by highly privileged users, unlike S3 Object Lock.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5
